Sunday, July 1, 2012

Ransomware is on the rise again, no doubt about that. The cyber security experts' predictions were correct; apparently they know this stuff very well, and seriously, you have to respect them. They also said that ransomware will probably hit smartphones too. We haven't seen any of these yet, but it's probably just a matter of time.

Anyway, today we're looking at the FBI MoneyPak virus, or Trojan if you like. Most people nowadays don't really know how to properly describe malware, so let's just call it a virus. Education is the key, guys, especially when it comes to PC security, so let's make things sparkling clear. If your computer screen is filled with an FBI warning page that claims you have to pay a $100 fine, you're infected with ransomware. It's not a virus in the strict sense: it doesn't delete your files or infect your .doc files; it locks you out of your desktop until you pay.

Most of the time, ransomware locks up the user's desktop and disables Task Manager and other system utilities so that it can't be terminated. FBI MoneyPak ransomware takes this to an entirely new level by adding a little video recording square in the top right corner of the fake FBI warning page, which is supposed to be a live feed from your built-in webcam. The funny thing is that this little square shows up even if your laptop doesn't have a built-in camera.

We have to admit that FBI MoneyPak is a very convincing-looking scam. It has the official FBI logo at the top and lists the victim's IP address, location and the name of the ISP (all of which any web server can look up from a visitor's connection, so it is not evidence that anyone has been watching you). The fake warning claims that your PC has been locked by the FBI because you downloaded or distributed copyrighted material or viewed child pornography. Creepy, isn't it? Now, if you don't pay the fine you will go to jail. What is more, you have only 72 hours to buy a MoneyPak cash top-up card from Walmart or Kmart.

Cyber crooks are truly imaginative guys, aren't they? Most people start to panic when they see such fake FBI warnings. You can't let anyone know this happened; otherwise you could get arrested or, even worse, end up with a criminal record or listed as a registered sex offender. Let's imagine this happens at work. Would you tell your colleagues about it? Probably not. And this scheme really works: cyber crooks want you to act immediately, on your first impulse. I know it's cruel, but it works. Most importantly, don't panic. Take a deep breath and think about it for a second. If you had actually done either of those things, the punishment would be drastically more severe than a simple $100 fine, right? Real law enforcement does not lock your computer and ask for a prepaid cash card. Just don't fall for the scam.

FBI MoneyPak virus removal is relatively easy for anyone with above-average computer skills. This ransomware doesn't inject itself into explorer.exe; it injects into iexplore.exe (Internet Explorer) and downloads additional files from remote web servers. It makes numerous modifications to the system. The malware actively monitors Task Manager and replaces the desktop with the fake FBI warning. Please note that there is no unlock routine: the malware itself will never revert the desktop to its previous state. That means that even if you pay the ransom, the fake FBI warning won't go away.

FBI MoneyPak ransomware is distributed using the Blackhole exploit kit. Simply visiting a compromised website is enough to trigger the exploit kit, which then downloads a malicious DLL file onto your computer; an unpatched browser plug-in is all it takes, no clicking required.

This ransomware downloads the fake warning from the internet, so if you simply unplug your network cable and manually turn your computer off, the warning won't show up after the reboot (at least it shouldn't). Another way to remove the FBI MoneyPak virus is to reboot your computer in Safe Mode and remove the malicious registry keys and files manually. One way or another, you MUST scan your computer with legitimate anti-malware software to properly remove this ransomware and its remnants: unplugging the network only stops the lock screen from loading, it doesn't remove the files that launch it. By the way, Kaspersky or Dr.Web rescue CDs should work just fine in this case too.

To remove FBI MoneyPak ransomware from your computer, please follow the steps in the removal guide below. If you need extra help removing this malware, please leave a comment below. Good luck and be safe online!

http://deletemalware.blogspot.com

Guide Updates:

08/17/12 - Cyber crooks have changed payment methods.

Now the payment has to be delivered through Ultimate Game Card instead of Green Dot MoneyPak. It still remains unclear whether they have made a permanent switch to this service or not. So, from now on it's the FBI Ultimate Game Card ransomware scam rather than MoneyPak. The Ultimate Game Card service is powered by paybycash.com. It allows you to pay for thousands of online games without providing personal information, which is precisely what makes it attractive to the crooks. The service itself is legitimate. Anyway, we think most people will find this odd, because we can hardly imagine that the FBI would actually choose Ultimate Game Card as its official finance partner.

Another variant of the FBI ransomware, FBI Anti-Piracy Warning:

One more thing: FBI virus or FBI MoneyPak scam or whatever you want to call it, it's just a name and it doesn't represent the same malware all the time. There are at least four different malware groups that use fake FBI or Police virus warning messages, and they all have the same goal: to trick you into buying a MoneyPak card. However, technically speaking they are not the same. They all operate in slightly different ways, so I'm afraid there's no easy one-click removal solution at the moment.

2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type explorer and hit Enter. If you fail to do it within 2-3 seconds, the FBI MoneyPak ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:

1. Power off and restart your computer. As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Log in as the same user you were logged in with in normal Windows mode.

2. Once in there, go to the Start menu and search for "system restore". Or you can browse to the Windows restore folder and run the System Restore utility from there:

1. Power off and restart your computer. As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press the Enter key.

NOTE: Log in as the same user you were logged in with in normal Windows mode.

2. Once in there, go to the Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, select Run..., type "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folder using rundll32.exe. See the example below:

NOTE: Log in as the same user you were logged in with in normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.

To do so, please go to Start, type "registry" in the search box, right-click Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start → Run..., type "regedit" and hit Enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Look in the list on the right for a randomly named item. Write down the file location, then right-click the item and select Delete. Please note that in your case the file name might be different. Close the Registry Editor.

In our case the malicious file (pg_0rt_0p.exe) was located in the Application Data folder, so we went there and simply deleted the file. We're running Windows XP. Note that Application Data (and AppData on Vista/7) is a hidden folder, so either enable "Show hidden files and folders" in Folder Options or paste the path straight into the Explorer address bar.

File location: C:\Documents and Settings\Michael\Application Data\

If you are using Windows Vista or Windows 7, the file will be located in the %AppData% folder.

File location: C:\Users\Michael\AppData\Roaming\

Finally, go into the Windows Temp folder (%Temp%) and click Date Modified so the newest files are on top. You should see an .exe file, possibly named pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.

One more thing: check the Startup folder of your Start menu (All Programs → Startup) for the following entry:

In our case it was ctfmon.lnk, a shortcut pointing to the malicious file, which then loads the fake ransom warning. The name is borrowed from ctfmon.exe, a legitimate Windows component that lives in the System32 folder, so check where the shortcut actually points rather than trusting the name. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove such an entry (if possible) and restart your computer.

4. Restart your computer in Normal Mode and scan the system with legitimate anti-malware software.
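As an added example (not the blog's own tool), here is a small Python script that runs the same checks as the guide above over a registry export, so you do not have to eyeball the Run keys by hand: it flags autostart values that launch from %AppData% or %Temp%, rundll32.exe entries that load a DLL from there, file names that look machine-generated, a copy of a Windows binary name such as msconfig.exe outside System32, a Winlogon Shell value other than explorer.exe, and a cmd.exe AutoRun value. The SAMPLE_REG text is constructed for illustration; the folder list, the SYSTEM_NAMES set and the looks_random heuristic are my own assumptions, not something the malware authors documented. To audit a real machine, export the keys from the Safe Mode command prompt (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and pass the file name on the command line.

```python
"""Audit Windows autostart locations for the persistence pattern described in
the guide above. Added example, not the blog's own tool. Input is the text of a
registry export (.reg); SAMPLE_REG below is constructed for illustration."""
import re
import sys
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "key name data reason")

# Folders an autostart entry should never launch from (assumption: the guide's
# own list, %AppData% and %Temp%, plus their on-disk spellings).
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Application Data\\|\\Temp\\|%AppData%|%LocalAppData%|%Temp%",
    re.IGNORECASE)
# Windows binary names the malware borrows (msconfig.exe, ctfmon.lnk); the real
# ones live under System32, so a copy anywhere else is a masquerade (assumption).
SYSTEM_NAMES = {"msconfig", "ctfmon", "lsass", "svchost", "explorer"}

# Constructed sample: one benign entry plus the patterns this guide describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe\""
"pg_0rt_0p"="C:\\Users\\Michael\\AppData\\Roaming\\pg_0rt_0p.exe"
"msconfig"="C:\\Users\\Michael\\AppData\\Local\\Temp\\msconfig.exe"
"kx9_q0tz"="rundll32.exe \"C:\\Users\\Michael\\AppData\\Roaming\\kx9_q0tz.dll\",Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\Michael\\AppData\\Roaming\\wlshjkhe\\a.exe"
"""


def parse_reg(text):
    """Parse the subset of .reg syntax regedit emits: [key] headers and
    "name"="string" values. hex:/dword: data is kept as the raw token."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = re.match(r'^(?:@|"([^"]+)")=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1) or "@", m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        keys[current][name] = data
    return keys


def payload_name(cmd):
    """File the entry really runs: the DLL argument for rundll32.exe,
    otherwise the first (possibly quoted) token, reduced to its base name."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if not tokens:
        return ""
    target = tokens[0]
    if target.lower().endswith("rundll32.exe") and len(tokens) > 1:
        target = tokens[1].split(",")[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename):
    """Heuristic (assumption) for generated names like pg_0rt_0p: digits
    interleaved between letters, or a long stem with almost no vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    if re.search(r"[a-z].*\d.*[a-z]", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    vowels = sum(c in "aeiouy" for c in letters)
    return len(letters) >= 7 and vowels / len(letters) < 0.2


def audit(keys):
    """Apply the guide's checks to every key in a parsed export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in values.items():
                payload = payload_name(cmd)
                reasons = []
                if USER_WRITABLE.search(cmd):
                    reasons.append("launches from a user-writable folder")
                if payload.rsplit(".", 1)[0] in SYSTEM_NAMES and "\\system32\\" not in cmd.lower():
                    reasons.append("system binary name outside System32")
                if looks_random(payload):
                    reasons.append("random-looking file name")
                if reasons:
                    findings.append(Finding(key, name, cmd, "; ".join(reasons)))
        elif k.endswith("\\winlogon"):
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(Finding(key, "Shell", shell, "shell replaced (expected explorer.exe)"))
        elif k.endswith("\\command processor") and values.get("AutoRun"):
            findings.append(Finding(key, "AutoRun", values["AutoRun"], "cmd.exe AutoRun hook set"))
    return findings


def load_reg(path):
    """regedit writes UTF-16 with a BOM; older reg.exe exports may be ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "cp1252")


if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit(parse_reg(text)):
        print(f"{f.key}\n  {f.name} = {f.data}\n  -> {f.reason}")
```

Run without arguments it audits the constructed sample and reports five findings (the three Run entries, the replaced Shell and the AutoRun hook) while leaving the Adobe entry alone. The Startup folder shortcut (ctfmon.lnk) is a separate check, since .lnk targets are not in the registry; inspect those by hand as the guide describes.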

This scared the hell out of me this morning. I thought I accidentally clicked on some nasty porn at some point in time, but I asked a friend and he said it was a fraud and now I'm reading this and I'm extremely relieved.

I'm not able to go into Safe Mode or Safe Mode with Networking and get a browser. I get the same FBI MoneyPak message in Safe Mode with Networking. In Safe Mode I get a "page will load in 30 seconds, please wait". Any suggestions?

I had this malware show up and took my computer to "The Geek Squad", a local computer service center. When I retrieved my computer it appears the computer was set back to its factory condition. My Office program is gone and all my Outlook and document files. They did not do a backup, I was told. Can I, and how, recover my Office program, Outlook files and my documents? Please, please help.

I got hit with this ransomware yesterday. I lost all control and could not use the regedit tool, could not regain Windows, and could not set the computer back to an earlier safe date. Finally regained control of registry edit by burning a malware disk on another computer (Kaspersky Rescue Disk) and rebooting to read from the disk. The disk scan found nothing (downloaded file was not updated for this malware) but the registry edit function let me find the offending file and delete it.

Then rebooted to Windows from the hard drive and immediately updated Kaspersky and ran it to find one more remnant. Then used the free version of HitmanPro from a USB drive to run a scan and found another remnant (each program found one copy in various directories). Running a final scan with RogueKiller, but no nefarious hits. I am back in business, but what a chore.

First of all, Geek Squad isn't local, it's Best Buy's tech service center. Second of all, the easiest way to remove a virus is to wipe the system and reinstall the OS, in which case, your programs need to be reinstalled manually. This is the common solution.

WELL! It's a bit different for me, but I am GLAAAAAAD to have found this site!

It didn't have a video recording box, so i guess it's smart enough to see if your comp has one connected.

Also, I was torrenting a game (yeah, illegal, I know) at the time, so when I came back after an hour and saw the FBI logo, I was a bit psyched out. All I've done so far is restart my computer without internet connection, so let me go meddle with these bastards' file. More later if I've failed.

Excellent help tutorial. I found the file in appdata\roaming in the user folder. It's kind of easy to find if you look for the .exe files with the same date that your computer started to show the FBI message. Thanks for the help.

I tried Power Eraser in my Norton but it wouldn't work. Norton said I had to buy a 100 dollar kit. I went instead to System Restore on Home Vista and it worked fine. Norton should have a block for this virus, as common as it is. Thanks for the help.

I think this malware has been recoded to make it more difficult to remove. My brother got this a few days ago with the demand for $200. We tried both the removal methods outlined above. Couldn't get into the registry editor. Then removed the boot drive from his system and installed as a slave drive into an uninfected system. Successively ran Avast and Malwarebytes on the infected drive. Each removed between 40-50 infected files. When the cleaned drive was reinstalled in his system, Windows would boot but the desktop would not display. Attempts to repair the Windows 7 installation were unsuccessful so we ultimately reinstalled Windows and all the apps. What a nightmare!

Very nice...These instructions were successful for a Windows 7 computer running in Safe mode. The location of the registry entry was the same as specified here. The infected file was /appdata/local/temp/msconfig.exe which differs from the example. Deleting the registry entry for msconfig.exe and then deleting the file from the ../temp folder worked. Many thanks....

I had PC Tools Spyware Doctor. It not only didn't stop the virus; after scanning it couldn't even identify that I had a virus. After their techs' "help" the program said it was removed; well, it wasn't. Finally their techs admitted the software doesn't work, but they're working on improving it. As long as this virus has been around, and they can't admit up front that their product doesn't work and won't as yet.

Found the culprit(s) while running from Safe Mode on XP. Regedit showed an application called SHELL and it was located in DocSettgs/John/AppData/wlshjkhe. Before I deleted that I went to that Application Data folder and in addition found three other randomly named files FROM THE SAME DATE (yesterday). Deleted those four, then went back to regedit to delete the Shell. Worked like a charm. After a couple hours of scanning and searching for answers, your fix worked in 5 minutes. You are a life saver. We should send you a MoneyPak! lolz

Audit events have been dropped by the transport. 0

Event Xml (fragment):

1101 0 2 101 0 0x4020000000000000

40050

A PROCMON trace or an active Task Recorder, and possibly NETMON, would have shown what this was (probably a bogus lsass.exe)!

Security xxx

0

Note that the bogus screen did NOT appear until an Internet connection was established, so even if it was collecting data (I saw 5 DSNs and 2 DIRs updated during this time before rstrui.exe), it had no way to transmit it. Further, using dial-up slowed down any transmissions a thousand-fold. Just another reason to NOT auto-connect to the Internet during boot, especially with a fast connection.

In a way, I have to thank this trojan. It made me move to ONLY surfing the 'Net via the GUEST LID, and to increase my tracking defenses.

This is very profile dependent. If you can log in to the administrator account, create another user (call it whatever you'd like), restart the PC and log in with the new ID, then move your documents and settings to that ID.

...but since Permissions is needed anyway (to block external drives, whether or not a password is used), why not just use the pre-defined GUEST LID (turn it on), which has the least allowances and, as you said, re-do your profile, etc. settings...

They CLEVERLY call themselves what Windows just reported on, and though it's NOT from Security, it's similar and near enough, so a person may ASSUME, though it's an Error event, that THEIR infected event entry is just part of a "normal" Windows boot!!! :(

Ran System Restore, deleted registry items, ran four different antispy antivirus softwares and this morning Bogus FBI is back! Surely a top level MS programmer can defeat these Romanian hacker criminals??

This thing starts really fast, but you can stop it if you restart your computer during boot and run Startup Repair. I'm not sure of the exact details of what I accomplished by doing this, but after running Startup Repair and logging on normally (no need to System Restore if you don't use it, like me), the virus didn't run as intended. On Windows 7 it tried to install a new driver for some unknown hardware, which I think was somehow linked to it, but otherwise no more hijacking. The computer runs well enough to install Malwarebytes and I am currently running the scan. Hope this helps somebody out.

If you don't get the option to reboot in Safe Mode with F8 and are unsure what your PC's specific hotkey for this is, boot your computer to the login screen, then hold down your power button until the PC shuts off. This improper shutdown will give you the option to reboot in Safe Mode when you turn it back on.

I did this, then a quick scan and removed the bulk of it, rebooted back to regular windows and cleaned up the rest manually.

My laptop was attacked by the MoneyPak ransomware late tonight. I tried to reboot using Safe Mode unsuccessfully. Kept going back to the frozen "FBI" warning. Tried getting on in Safe Mode with Command Prompt. I was able to somehow get onto System Restore, following your instructions above. It worked perfectly, got back to my desktop and am now running my anti-virus scan, then will do the direct download above to remove any remnants of the virus. I am SO grateful for your help! I have a Windows 7 operating system, and am only moderately adept at the computer, but went very slowly and carefully and followed your directions. Thank you again.

Hi, I received this wonderful virus yesterday. I tried to go into Safe Mode but cannot. Nor Safe Mode with Command Prompt. I found a way to System Restore by clicking "Repair your computer". It made me log in, then I was taken to a list of repair choices to include System Restore. I have run it several times and I get the message that System Restore did not complete successfully. I also did as you initially said. I disconnected the internet from the modem and rebooted, which did not change anything. Please help!!!

7) Navigate to HKEY_CURRENT_USER\Software\Microsoft\Command Processor and find the "AutoRun" key. The value to the right of it is where the virus is.

8) Switch to your CMD window and DEL your virus file.

9) Switch back to your registry window and delete the "AutoRun" key.

10) There is probably another pointer to the (deleted) virus in HKCU\Software\Microsoft\Windows\CurrentVersion. Delete it.

11) Navigate to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and look at the "Shell" key. The value may be cmd.exe, which would boot you to a black CMD window. Change this value to explorer.exe so you will reboot into your normal-looking Windows.

12) Reboot as normal. You should log in fine. Run your antivirus software.

OK... read and tried all the suggestions above. Even tried the "hit CNTL C like mad", to no avail. White ICE screen reappears upon reboot. Running Windows 7. Can get into Safe mode with internet unplugged, but not much else. Any suggestions?

Thank you for the post. I managed to remove the FBI virus from the registry using Method 1 but with modifications. This way you don't have to worry about not being able to type faster than the virus.

First make sure the computer is not connected to the internet. Then use Method 1 Step 1 to boot up in Safe Mode with Command Prompt. When the command prompt window appears, close it by clicking 'X'. Then it will go to a blank screen in Safe Mode. Press CTRL + ALT + DEL and click "Task Manager". Task Manager will load; click on FILE then NEW TASK (RUN), and that's where you can type in the command to run System Restore as pointed out in the blog.

Choose your restore point and let it run. Once the restore process is done, Windows should run properly. Download the software "RogueKiller" to remove the registry entry of the virus.

Thanks to the author of the blog without which I would not have recovered the computer.

Just a recent update on how I defeated this ransomware virus. It was really a combination of several suggestions.

First, my symptoms so you can compare. Mine was an NSA ransom. It would not let me start Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt. Reading through the comments I saw where by repeatedly holding down CTRL and tapping "C" very quickly you could shortcut the ransomware's hijacking of the Command Prompt. Note, I typed in my admin account name and started the CTRL+C action as soon as I hit "Enter". I did this for about 60 seconds and nothing seemed to happen, so I stopped and pressed CTRL-ALT-Delete all at once like one of the very last commenters said. Then when Task Manager came up I selected "New Task". This opened my command prompt, into which I typed "cmd \d". Once in there I typed "%systemroot%\system32\restore\rstrui.exe" because I use Win XP and typing simply "rstrui.exe" didn't work. Did a System Restore and regained control of my system. Afterwards I ran a full Malwarebytes scan several times. It did not catch all the infected files the first pass. The third pass it came up clean.

Hi, can someone please tell me how to remove this virus from my tablet? Yeah, it's a smartphone tablet, whatever you'd like to call it, and it's a Samsung. I wanted to know how I can remove this stupid virus from it?

Cassandra, so far everyone seems to be saying the virus is a "Tablet Killer"... that is, your tablet is a paperweight now. I see the problem in that tablets are running Android and don't seem to even have a task manager which one can jump into, let alone a keyboard to type Ctrl-Alt-Del from.

So I AM NOT HELPING. I am new to tablet computing but am somewhat of an old-time expert hobbyist on MS Windows. I saw this virus years ago and simply deleted it every time, then cleaned all my cookies. That was over two years ago and I still do nothing but delete my cookies to get rid of it (after killing the browser task it is in).

But I am getting a lot of young friends with this crap on their tablets; they come to me, the old guy, all of a sudden now that no one else can help them. But I ain't shit on tablets or Android... So now I am learning... and I want to say thanks to the guy who has this blog... bookmarking.

The question is, how come Android does not have a task manager that you can get into with just a button push? Looks like a design flaw. If it is a design flaw you should sue the company... lol

I had this FBI virus on my Galaxy for months and the screen was locked with the FBI virus!!! How I fixed it was to let the battery almost die and click Battery Usage when it came on the screen, go to Android and hit the Flash Player link and Force Stop!!! That worked, but now the virus has gotten stronger! It looks different and makes a siren sound, and when the battery gets low it will not show anymore; the phone will just shut off!!! :/ Time for a Mee phone!!!

For those of us on a Kindle Fire WITH a password, all you need to do is type in the password around 5 times, and then there should be a small menu that comes up; then press Reset, which resets your Kindle Fire (please note: you will have to re-register the Kindle Fire).


About Me

Hi there, and welcome to my humble web presence. I'm Michael Kaur, malware squasher, geek and blogger based in Los Angeles, CA. If you'd like to contact me, the easiest way is through the email given below or Google+. Simply add me to your Google Plus circles.

Disclaimer: This is a self-help guide. Use at your own risk. Deletemalware.blogspot.com cannot be held responsible for problems that may occur by using this information.

About the blog: This blog provides reliable information about the latest computer security threats, including spyware, adware, browser hijackers, Trojans and other malicious software. We do NOT host or promote any malware (malicious software). We just want to draw your attention to the latest viruses, infections and other malware-related issues. The mission of this blog is to inform people about existing and newly discovered security threats and to provide assistance in resolving computer problems caused by malware.